Skip to content

Latest commit

 

History

History
58 lines (50 loc) · 3.13 KB

dedosfuscator.md

File metadata and controls

58 lines (50 loc) · 3.13 KB
Raw

De-DOSfuscator

De-DOSfuscator is a Python script included with flare-qdb that instruments cmd.exe to decode obfuscated batch scripts by executing them.

The name is a play on Daniel Bohannon's paper, DOSfuscation: Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques.

The tool lives at flareqdb/scripts/deDOSfuscator.py and is installed by setup.py as a Python entry point. It can be invoked from the Python scripts directory (which in some cases may be added to the Windows path).

Its usage follows:

C:\Users\myself>dedosfuscator.exe --help
usage: dedosfuscator-script.py [-h] [--logdir LOGDIR] [--getoff path_to_cmd]
                               [--useoff symbolic_offset] [--fDumpParse]
                               [--nerf] [--sympath SYMPATH]
                               [--getpdb path_to_cmd]
                               [--dbghelp path_to_dbghelp_dll]

DeDOSfuscator: de-obfuscate batch files by executing them. You can get the
needed symbol offsets by running this script on a network-connected machine
with the --getoff switch which expects the path to a copy of the version of
cmd.exe that you plan to use in your isolated malware analysis environment.
You can then pass the resulting symbolic offset as an argument to the --useoff
switch which will use it for hooking cmd.exe. Once DeDOSfuscator is running,
change to the directory where your malicious batch file is located (in your
isolated or safe analysis environment), and invoke the batch file. If you
can't remember whether you're running under the DeDOSfuscator, type REM
status.

optional arguments:
  -h, --help            show this help message and exit
  --logdir LOGDIR       Override logging directory. Default: %CD%
  --getoff path_to_cmd  Get symbolic offsets for specified copy of cmd.exe
  --useoff symbolic_offset
                        Use symbolic offsets
  --fDumpParse          Use cmd-native AST dumping via fDumpParse
  --nerf                Don't allow commands to execute. Mutually exclusive
                        with --fDumpParse. Warnings: (1) In many cases your
                        malicious batch file will not work with this switch
                        enabled. (2) No guarantee is implied or expressed that
                        this will protect your system -- especially if you
                        provide invalid/incorrect offsets! (3) You won't be
                        able to exit normally, so instead exit by hitting
                        Ctrl+C.
  --sympath SYMPATH     Override symbol path. Default: SRV*C:\Symbols*http://m
                        sdl.microsoft.com/download/symbols
  --getpdb path_to_cmd  Just get the PDB for the specified copy of cmd.exe
  --dbghelp path_to_dbghelp_dll
                        Override path to a copy of dbghelp.dll. Default:
                        %CD%\dbghelp.dll

For examples and further context, see the blog: Cmd and Conquer: De-DOSfuscation with flare-qdb